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1  Introduction 

At  a  small  public  school  in  a  New  York  City  suburb,  Mary  Demerec  taught  science  to  kindergarten  through 
eighth  grade  students.  It  was  a  remarkable  set  of  classes.  Mrs.  Demerec  was  among  the  first  women,  if 
not  the  first  woman,  to  receive  a  degree  in  Electrical  Engineering  from  Cornell  University.  Eor  personal 
reasons,  she  chose  a  life  of  teaching  and  her  many  students  benefitted  from  that  choice. 

Mrs.  Demerec’s  classroom  was  like  no  other.  Housed  in  the  old  cafeteria  in  the  school  basement, 
it  had  been  converted  into  a  science  wonderland.  Science  was  eagerly  anticipated  by  all  of  her  students. 
Although  I  remember  being  issued  a  science  textbook  and  flipping  through  it,  the  book  and  lectures  weren’t 
part  of  the  class.  Instead,  we  “experimented.”  Our  “experiments”  were  trivial  for  the  younger  students.  Eor 
example,  in  fourth  grade  I  painted  some  cardboard  boxes  to  look  like  houses  and  electrified  my  little  town. 
Everything  was  crude  and  homemade.  Small  blocks  of  wood  onto  which  strips  of  metal  were  attached 
with  nails  served  as  our  breadboards.  Holes  in  the  metal  were  sockets  for  flashlight-size  bulbs.  Some  of 
the  metal  strips  could  be  touched  together  to  form  switches.  Wires  were  strung  up  to  batteries.  At  the  age 
of  eight,  I  learned  the  difference  between  series  and  parallel  circuits  and  how  to  hook  them  up. 

No  one  else  had  a  project  like  mine.  Mrs.  Demerec,  helped  each  child  pick  an  experiment  that  best  fit 
his  or  her  capabilities  and  inclinations.  A  boy  in  my  class  had  a  project  that  involved  a  lot  of  hammering. 
He  was  active  and  not  very  studious.  He  may  not  have  learned  the  same  material  as  I,  but  both  of  us  loved 
Science  and  wanted  to  be  there. 

Occasionally  there  was  a  demonstration,  usually  performed  on  something  from  the  fish  market  or  the 
butcher  shop:  fish  eyes  and  brains;  cow  eyes  and  brains;  meatless  lamb  legs  and  shoulders.  These  too  were 
memorable  events,  but  not  the  heart  of  the  learning  experience. 

Our  grade-school  science  program  was  “research  for  children.”  It  exemplified  the  Socratic  method  in 
the  extreme.  We  were  excited  about  learning  and  were  learning  to  think  for  ourselves. 

Today  we  are  all  taking  our  first  few  steps  in  a  new  world.  One  in  which  information  technology  will 
transform  practically  every  aspect  of  our  lives.  We  as  individuals,  small  businesses,  corporations,  and 
nations  cannot  accomplish  our  work  using  computers  without  computer  security.  Eor  this  reason,  we  need 
computer  security  education  programs,  but  more  importantly,  we  need  people  to  help  us  build  this  new 
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world.  We  need  to  produce  graduates  who  are  enthusiastic  and  creative.  Research  is  one  of  the  best  ways 
to  achieve  this  objective. 


2  Creating  the  Future 

To  understand  the  applicability  of  research  to  information  systems  security  education  the  notion  of  research 
must  be  defined  and  interpreted  in  the  context  of  this  field. 

A  dictionary  definition  [1]  of  research  is 

Studious  inquiry  or  examination;  esp:  investigation  or  experimentation  aimed  at  the  discovery 
and  interpretation  of  facts,  revision  of  accepted  theories  or  laws  in  the  light  of  new  facts,  or 
practical  application  of  such  new  or  revised  theories  or  laws. 

Obviously,  in  computer  science  and  computer  engineering,  researchers  are  not  in  the  business  of  dis¬ 
covering  new  laws  of  nature.  Instead  we  rely  upon  a  mathematical  foundation  built  upon  certain  axioms  as 
a  basis  for  research  in  two  principal  areas.  The  first  is  theory,  or  the  extension  of  the  mathematical  founda¬ 
tion.  The  second  is  to  translate  that  mathematical  foundation  to  the  tangible  world  through  the  application 
of  technology.  We  construct  abstract  models  of  how  systems  should  operate  and  then  create  technical  mod¬ 
els,  specifications,  designs,  and  implementations  of  experimental  systems.  Experiments  are  performed  on 
those  systems  which  may  force  us  to  pursue  additional  mathematical  extensions  of  our  theory,  create  new 
models,  and  continue  the  cycle.  These  discoveries  permit  us  to  articulate  principles  for  building  systems 
of  computers.  Those  principles  become  the  cornerstone  for  advances  in  engineering  and  technology. 

To  apply  this  recurring  cycle  of  theory,  model,  and  experiment  to  computer  security,  we  need  only 
narrow  the  field  of  discourse.  Security  research  attempts  to  satisfy  certain  requirements,  usually  articulated 
in  terms  of  policy  related  to  the  confidentiality,  integrity,  and  availability  of  information  resources,  on 
complex  man-made  systems. 

What  is  important  to  realize  is  that  computer  security  research,  like  all  other  research,  is  experimental 
in  nature.  This  means  that  sometimes  things  don’t  work  the  way  we  may  have  hoped  they  would.  However, 
negative  results  are  not  necessarily  bad  results.  They  can  lead  to  new  insights  and  new  developments.  That 
is  why  we  call  it  research. 

Research  has  a  “blue-sky”  quality  that  allows  us  to  not  only  consider  current  technology  but  to  create 
the  future.  It  is  a  highly  creative  process.  The  creative  thinker  has  time  to  ponder.  Throughout  his  career, 
the  late  Richard  Hamming  set  aside  most  of  each  Friday  to  “think  great  thoughts.”  New  ideas  result  from 
having  the  luxury  of  expansive  thinking  that  a  good  research  program  can  provide. 

3  Educational  Benefits  of  INFOSEC  Research 

The  integration  of  research  into  a  program  of  computer  security  education  benefits  not  only  students, 
but  their  teachers,  and,  ultimately,  the  institutions  and  enterprises  that  will  hire  the  graduates  of  these 
pedagogical  programs. 
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3.1  Enthusiasm 


Computer  Security  is  an  exciting  field.  It  is  possible  to  stimulate  student  vicariously  with  tales  of  others’ 
computer  secmity  exploits  and  adventures,  but  from  my  observations  it  appears  that  being  involved  in  the 
exploration  oneself  is  even  more  engaging.  The  adventure  of  exploring  the  unknown  raises  the  level  of 
enthusiasm  by  at  least  an  order  of  magnitude. 

3.2  Preparation 

It  is  difficult  to  extend  the  boundaries  of  knowledge  if  you  do  not  understand  that  which  is  known.  To  do 
this,  underlying  principles  and  facts  must  be  internalized  so  that  they  can  be  creatively  applied  in  a  new 
context.  Despite  the  best  lecture  and  laboratory  materials,  a  problem  often  does  not  become  real  until  the 
student  has  had  to  grapple  with  it  alone. 

3.3  Creative  learning 

Some  may  argue  that  interactive,  computer-based  learning  programs  are  active  learning,  but  is  this  really 
so?  Even  multimedia,  web-based  activities  are  generally  passive  and  tethered  to  the  instructor.  Yes,  the 
student  is  actively  selecting  from  drop-down  menus  and  typing,  but  in  many  cases  the  clever,  and  not-so- 
clever,  student  can  guess  what  the  instructor  wants;  it  easily  becomes  rote  learning. 

In  contrast,  research  cannot  be  passive.  It  demands  active  involvement  and  creativity.  The  teacher 
can  act  as  a  guide,  helping  students  avoid  blind  alleys  and  pitfalls,  but  the  students  must  do  the  work. 
Involvement  is  complete.  Students  lie  awake  at  night  pondering  research  problems. 

Even  when  the  instructional  program  has  been  very  thorough,  a  research  topic  will  require  understand¬ 
ing  additional  background  material.  The  student  will  conduct  a  survey  of  the  research  area  and  become  an 
expert  on  the  topic  at  hand.  In  addition,  research  often  involves  cross  fertilization. 

Computer  systems  are  tremendously  complex  and  students  learn  this.  They  learn  that  although  an 
individual  may  create  a  fabulous  application  it  must  work  in  a  networked  world  and  will  depend  upon 
other  components  of  the  system.  Since  security  must  be  built  into  systems,  be  they  single  computers 
or  large-scale  networks,  students  must  often  engage  in  some  level  of  systems  engineering.  They  must 
consider  how  all  of  the  various  components  will  connect  and  work  together.  Security  mechanisms  result 
from  the  desire  to  control  who  has  access  to  portions  of  an  enterprise’s  work,  which  includes  programs 
as  well  as  data.  Students  must  consider  how  security  policy  enforcement  will  interact  with  other  system 
requirements.  Concepts  from  many  areas  of  computer  science  or  even  from  other  fields  may  be  applicable 
to  the  research  problem.  As  the  student  explores  new  areas,  and  talks  to  a  broad  research  community, 
cross-fertilization  takes  place  and  new  ideas  may  emerge. 

As  students,  we  learn  about  the  scientific  method.  We  learn  of  Aristotelians  who  thought  about  how 
the  world  was  and  the  Renaissance  experimentalists  who  actually  took  a  look  and  found  out.  Galileo’s 
notion  of  conducting  an  experiment  is  memorized  and  recited:  Problem,  Hypothesis,  Procedure,  Data,  and 
Conclusions.  To  conduct  research,  one  must  apply  these  principles  and  create  a  method  for  attacking  the 
problem  at  hand.  Thus  students  learn  not  only  the  scientific  method,  but  project  organization. 

Students  conducting  research  can  engage  in  discourse  with  those  in  academe  and  industry.  Most  com¬ 
puter  security  research  is  of  interest  to  someone  beyond  the  hallowed  halls  of  one’s  institution.  Eor  ex¬ 
ample,  the  computer  security  research  of  the  Naval  Postgraduate  School  Center  for  Information  Systems 
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Security  Studies  and  Research  (NPS  CISR)  [2]  has  involved  the  interest  of,  and  often  collateral  participa¬ 
tion  hy,  researchers  and  developers  from  the  military  services  and  Department  of  Defense  (DoD)  activities, 
the  U.S.  Government,  federally  funded  research  and  development  centers  (FFRDCs),  other  academic  in¬ 
stitutions,  and  numerous  hardware  and  software  vendors. 

By  presenting  their  results  at  conferences  or  in  papers,  and  in  theses  and  dissertations,  students  are 
able  to  distill  their  work  and  share  it  with  a  hroad  community. 

Completion  of  a  research  project  teaches  the  student  that  he  or  she  is  capable  of  extending  that  which 
is  known.  Ordinarily,  we  fear  the  unknown,  but  by  having  learned  a  method  for  probing  and  pushing  back 
the  limits  of  knowledge  we  can  view  the  unknown  as  a  challenge  that  can  be  overcome  a  little  bit  at  a  time. 
This  provides  graduates  with  the  confidence  to  pursue  new  ideas  throughout  their  careers. 

3.4  Beyond  Students 

Students  are  not  the  only  ones  who  benefit  from  research-based  education  programs.  Professors  and  teach¬ 
ers  benefit  by  helping  students  chose  topics  that  will  further  their  overall  research  objectives.  They  create 
the  team  that  works  together  to  solve  specific  research  problems.  Students  learn  how  to  be  team  players 
yet  retain  their  individuality.  Good  academic  research  groups  produce  graduates  who  know  how  to  work 
in  a  team  to  build  upon  each  other’s  accomplishments. 

For  teachers,  pursuit  of  research  gives  us  a  depth  of  understanding  that  cannot  be  developed  through 
reading  textbooks  and  magazine  articles.  We  must  understand  the  subject  inside  out.  We  must  attend 
conferences  and  read  proceedings,  journals  and  seminal  papers.  The  depth  of  understanding  that  results 
will  be  reflected  in  our  classroom  instruction.  We  know  about  the  exciting  places  the  topics  in  the  lecture 
notes  can  lead. 

Our  research  keeps  us  current.  We  are  enthusiastic  about  solving  a  problem  and  convey  that  enthusiasm 
not  only  to  the  students  with  whom  we  are  conducting  research,  but  to  the  many  students  in  our  classes  for 
whom  computer  security  will  not  be  a  career  objective. 

Through  research  on  critical  problems  in  computer  security,  academic  programs  create  ways  to  provide 
better  system  security  where  it  was  previously  inadequate  or  absent.  For  science  and  industry,  research- 
based  educational  programs  not  only  produce  students  who  know  how  to  learn  for  themselves  and  think 
creatively,  these  groups  solve  problems  and  push  the  envelope  of  our  understanding  of  how  systems  can 
be  constructed  and  used. 

4  Summary 

In  ten  to  fifteen  years,  computers  will  be  even  more  ubiquitous  than  they  are  today.  Computer  security 
will  remain  an  important  hidden  factor  in  maintaining  personal  privacy,  enterprise  competitiveness,  and 
national  security.  Academe  will  need  new  teachers  to  conduct  research  and  lead  students  into  the  unknown. 
Industry  will  need  individuals  who  can  address  enterprise-level  information  systems  security  problems. 
Research-based  academic  efforts  foster  the  atmosphere  in  which  we  can  nurture  those  individuals  who 
will  create  the  future. 
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